Goatse Security tells AT&T: ‘You f---ed up’

Escher Auernheimer, a member of Goatse Security, said in a statement Monday that AT&T “f***ed up” when it deployed a Web application that contained logic flaws. The application itself was the reason the security firm was able to access more than one-hundred thousand iPad owner’s email addresses.

In a response to a letter sent to AT&T’s customers this weekend, where the company apologized for the email incident and any inconvenience it may have caused, Goatse Security member Escher Auernheimer said:

“You f---ed up, we helped you that figure [sic] out and informed the public. You should thank us, but you can keep on sh**-talking if you want. We know what we did was right.” [Link]

On Friday, The Tech Herald reported on a story from Gawker Media detailing a Web application flaw on AT&T’s site that exposed 114,000 email addresses, some of which belonged to heavy hitters in both news and politics (the original story is here and the update is here).

After the Gawker story broke, there was a lot of attention from the media as well as the FBI. On Sunday, AT&T issued an apology letter to customers about the incident that contained some interesting comments aimed at Goatse Security.

In the letter, AT&T called Goatse’s actions malicious, referring to the group as “hackers” who had exploited a function designed to make customer’s iPad log-ins faster, “...by pre-populating an AT&T authentication page” with the email address used to register the iPad to their 3G service.

As we mentioned in another story (link), the explanation given by AT&T in its official letter clearly describes a logic flaw.

“The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses. They then put together a list of these emails and distributed it for their own publicity,” AT&T explained.

This point was specifically addressed by Auernheimer in Goatse’s answering statement.

“I'll tell you this, the finder of the AT&T email leak spent just over a single hour of labor total (not counting the time the script ran with no human intervention) to scrape the 114,000 emails. If you see this as 'great efforts', so be it.”

As for the disclosure method itself, AT&T has said that Goatse never contacted it to report the vulnerable Web application. This has led some to calling Goatse unethical.

However, Goatse indirectly contacted AT&T through a third-party. This third-party is the same business customer AT&T has made mention of in both its letter to customers and press statements.

“If not for our firm talking about the exploit to third parties who subsequently notified them, they would have never fixed it and it would likely be exploited by the RBN or the Chinese, or some other criminal organization or government (if it wasn’t already),” Auernheimer noted.

“AT&T had plenty of time to inform the public before our disclosure. It was not done. Post-patch, disclosure should be immediate -- within the hour. Days afterwards is not acceptable ...even in this disclosure, which I feel they would not have made if we hadn’t publicized this vulnerability, AT&T is being dishonest about the potential for harm.”

The potential for harm, as Auernheimer pointed out, includes an exploit targeting a vulnerability in Safari on the iPad that has been around for more than two months now. If leveraged, the vulnerability would turn the device into a Spam drone, a wordlist-based logon cracker for networks, or even a relay for payloads to arbitrary daemons.

The exploit was patched for OS X, but is quite functional on the iPad. It centers on Integer Overflows, where if an attacker wanted to bypass port blocking, all they would need to do is add '65,536' to whatever port they wish to target. For example, if they wanted to Spam people, they'd take '25 + 65,536' and target port '65,561'.

“The kicker is that this attack cannot be detected by any current IDS/IPS system. We released this in March, mind you, and Apple still hasn’t got around to patching this on the iPad! I know through personal experience that the patch time for an iPad vulnerability is over two months and counting,” Auernheimer said.

If you play the numbers, this exploit likely isn’t the only one for Apple’s newest device. It’s just publically known.

“AT&T is not highlighting the potential for a skilled attacker to use a Safari exploit, or other iPad application exploit based on this dataset to takeover the iPad. A complete list of iPad 3G customers (which could have been generated from this vulnerability) would have the ideal bit of data for those in the RBN with zero-day Safari exploits to acquire.”

“Given that, the number of parties which probably have active iPad exploits likely numbers in the hundreds, if not the thousands. The iPad simply is not a safe platform for those that require a secure environment,” Auernheimer said.

In conclusion to the public answer to AT&T’s letter, Auernheimer said that Goatse did what it did as a service to the nation.

“We love America and the idea of the Russians or Chinese being able to subvert American infrastructure is a nightmare. We understand that good deeds many times go punished, and AT&T is trying to crucify us over this. The fact remains that there was not a hint of maliciousness in our disclosure. We disclosed only to a single journalist and destroyed the data afterward. We did the right thing, and I will stand by the actions of my team and protect the finder of this bug no matter what the cost.”

When asked if it had any comments on Goatse’s statement addressing its official letter, AT&T said, “No. Our letter speaks for itself.”

Like this article? Please share on Facebook and give The Tech Herald a Like too!

From our Other Sites

Man Makes Tiny Edible Pancakes with Tiny Kitchen Tools (Video)

This Japanese guy cooks up some pancakes…nothing special there right? Well he uses tiny implements to do it and makes perfect little pancakes. Kinda cool and they look tasty!

What Color is this Dress?

White and Gold or Blue and Black?
Well this one has been trending all over the web, just what color is this dress? It all started in Scotland when the mother of a bride-to-be sent a picture to her daughter asking what she thought of the dress. The bride and groom each saw the image differently, this then got posted online and picked up by some viral sites. The lighting in photo is probably  causing different people to see it as either white and gold or blue and black. Prof Stephen Westland, chair of color science and technology at a University in the UK told the BBC that it was impossible to see what other people see but that it was most […]

McLaren 675LT Pictures

Some great shots of the forthcoming McLaren 675LT. This coupe will get you to 60mph in less than 2.9 second and go all the way to 205mph.

McLaren 675LT Details

McLaren’s 675LT will debut at this year’s Geneva show and promises some eye-popping performance. The coupe only 675LT has a 3.8 liter V8 that will get you from 0-60mph in less than 2.9 seconds and to 124mph in less than 7.9 secondsMore than a third of the parts have been changed compared with its stable mate […]

McLaren 675LT Wallpaper

Some cool McLaren 675LT Wallpaper. The McLaren 675LT is the latest coupe to come from the supercar maker and has a top speed of 205mph.Click on an image to open a page with multiple sizes that you can download to use as wallpaper for your mobile or desktop.More McLaren Wallpaper.

Octopus hunts on land, grabs crab (Video)

This crab is minding its own business searching the rock pools for food when suddenly an octopus leaps out of the water and grabs it. The amazing thing is that the octopus does not just jump on the crab it actually pulls it all the way back to the rock pool it came from. If you check the second video you will see it is not unknown for octopus to come out of the water and the one in the second video has a crab with it, though is not hunting one! Octopus Walks on Land at Fitzgerald Marine Reserve The video was taken by Porsche Indrisie in Yallingup, Western […]

Stunning Mars Rover Selfie

This image by the Curiosity Mars rover is not exactly your typical selfie. It is made up of a bunch of images taken by the rover during January 2015 by the Mars Hand Lens Imager. This (MAHLI) camera is at the end of the robot’s arm. For a sense of scale the rover’s wheels are about 20 inches diameter and 16 inches wide. Check the annotated image below for more information on the surroundings. Also if you really want to see some detail click this very large image, 36mb, at NASA.  

How the Sahara Helps Feed the Amazon (Video)

Sahara to Amazon
This cool video from NASA shows how dust is transferred across the Atlantic to the Amazon rainforest and helps nourish the plants growing there. For the first time scientists have measured the amount of dust and the amount of phosphorus in the dust. The later acts like a fertiliser and helps replenish the phosphorus the rainforest loses each year, around 22,000 tons. Amazing how something we perceive as being desolate like a desert actually has an important role in sustaining somewhere we see as teeming with life. Image and video from NASA’s Goddard Space Flight Center.

Bouncing Laser Guided Bomb (Video)

This amazing video shows a laser guided bomb bouncing back up after hitting its target. We actually think this is a non-explosive bomb designed to test guidance systems but it is still pretty remarkable and somewhat scary.

South Koreans Swallowed by Sinkhole (Video)

Thankfully the couple survived their adventure.
This amazing footage taken from the CCTV on a passing bus shows the moment two pedestrians in South Korea fall down a sinkhole in the street! Rescue workers managed to save the pair, who were treated in a nearby hospital for minor injuries. According to reports the city authorities and the Korean Geotechnical Society are looking into the cause.